About this document
This document covers creating the policy that distributes the proxy configuration and the root CA certificate via the Jamf Pro platform. It does not cover other parts of the Jamf platform, such as initial Jamf configuration or device enrollment.
Prerequisites
Supported platforms
macOS 12 and later
iPadOS 16 and later
iOS 16 and later
Downloading the MDM files
The MDM deployment files are available from the Proxy Connector configuration page in the SurePath AI admin interface.
Click Connectors in the CONFIGURE section
Select an existing Proxy connector or click ADD CONNECTOR to create a new one
If creating a new connector, provide a descriptive name and select Proxy as the connector type, then click SAVE
From the connector details page, download the MDM files for your environment using the DOWNLOAD button in the MDM Files section
The downloaded ZIP file contains deployment files for both Windows and Apple platforms. For Jamf Pro deployments, the following Apple configuration profiles are available:
Apple iOS/iPadOS: configuration profile (surepath.ai.ios.mobileconfig) for any Apple MDM
Apple macOS: configuration profile for any Apple MDM (surepath.ai.macos.mobileconfig), plus Jamf-specific profiles with user identification (surepath.ai.macos.jamf.email.mobileconfig, surepath.ai.macos.jamf.udid.mobileconfig)
The SurePath AI PAC file
SurePath AI distributes its proxy information via a Proxy Auto-Config (PAC) file. This PAC file contains all the information needed to direct only generative AI traffic to the SurePath AI proxy service, while all other traffic takes its normal route.
Using a PAC file also allows SurePath AI to update the list of generative AI domains centrally. Most operating systems and browsers request the PAC file every 1 to 2 hours; if a new file cannot be retrieved, the current one continues to be used.
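As an added illustration (not SurePath AI's actual PAC file), the following script shows the routing logic described above: only hosts on a constructed generative-AI list are sent to the proxy, and everything else goes direct. The domain names and the proxy address are placeholders; a small shim lets the file run under Node.js, where the PAC built-in dnsDomainIs() is not provided.

```javascript
// Added example, not SurePath AI's actual PAC file: a minimal Proxy Auto-Config
// script of the kind described above. Requests to a constructed list of
// generative-AI hostnames go to the proxy; everything else goes DIRECT.
// The domain list and proxy address are placeholders.

// Shim for running under Node.js: when a browser or the OS evaluates a PAC file
// it supplies dnsDomainIs() itself, so this definition is skipped there.
if (typeof dnsDomainIs !== "function") {
  globalThis.dnsDomainIs = function (host, domain) {
    // Plain suffix match, like the real built-in. Note that without a leading
    // "." on the domain, "evilexample.test" would match "example.test".
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}

// Constructed, illustrative domain list; the real list is maintained by the
// vendor and refreshed when clients re-fetch the PAC file.
var GENAI_DOMAINS = [
  "chat.genai-example.test",
  "api.genai-example.test",
  "assistant.example.test"
];

// Placeholder proxy endpoint; the real one is in the downloaded PAC file.
var SUREPATH_PROXY = "PROXY proxy.placeholder.example:443";

// True when host is one of the listed names or a subdomain of one.
function isGenAIHost(host) {
  var h = host.toLowerCase();
  for (var i = 0; i < GENAI_DOMAINS.length; i++) {
    // Exact match, or suffix match with a leading dot so that a look-alike
    // such as "evilassistant.example.test" does not match.
    if (h === GENAI_DOMAINS[i] || dnsDomainIs(h, "." + GENAI_DOMAINS[i])) {
      return true;
    }
  }
  return false;
}

// Entry point the PAC runtime calls for every request.
function FindProxyForURL(url, host) {
  if (isGenAIHost(host)) {
    // No "; DIRECT" fallback here: appending one would let GenAI traffic
    // bypass the policy whenever the proxy is unreachable (fail-open).
    return SUREPATH_PROXY;
  }
  return "DIRECT";
}
```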
The SurePath AI root CA certificate
As with other network security and SASE vendors, trusting the SurePath AI root CA certificate is what allows SurePath AI to intercept connections to generative AI websites and apply policy to them. The SurePath AI root CA certificate must therefore be trusted by every device that is to be governed by SurePath AI.
User identification and policy application
Organizations can deploy SurePath AI proxy configurations through standard Apple configuration profiles. However, basic configuration profiles typically set a PAC URL without user-specific identifiers, which means all traffic from a device is associated only with the Proxy Connector itself. This approach is known as Connector authentication, where SurePath AI can identify which connector the traffic came from but cannot distinguish between individual users on shared devices or associate native application traffic with specific users.
The JAMF-specific SurePath AI configuration profiles enhance this capability by including unique identifiers in the PAC URL. These profiles leverage JAMF payload variables to include user email addresses or device UDIDs. Organizations deploying through JAMF should use one of these JAMF-specific profiles rather than the basic profile. When email addresses are included in the PAC URL, SurePath AI can immediately identify users and attribute their traffic without requiring any additional steps. When device UDIDs are used as the unique identifier, SurePath AI can associate traffic with users after they sign in to a GenAI service for the first time, enabling ongoing identification of all traffic from that unique identifier.
This improved user identification provides several operational benefits. First, it significantly reduces instances of Connector authentication in User Activity logs, making it easier for admins to audit and report on individual user behavior. Second, it enables more granular policy application based on user identity rather than just device or connector identity. This is particularly valuable for organizations that need to apply different policies to different users or groups, as SurePath AI can enforce user-specific or group-specific policies even for traffic that would otherwise only be identifiable at the connector level.
Configuring Jamf Pro
SurePath AI provides Apple configuration profile (mobileconfig) files that can be deployed through Jamf Pro to configure proxy settings and certificate trust. These files are available from the Proxy Connector configuration page in the SurePath AI Admin UI.
JAMF-specific configuration profiles
For organizations using JAMF Pro, SurePath AI provides configuration profiles that leverage JAMF payload variables to include user-specific identifiers in the PAC URL. These profiles enable user-level traffic attribution without requiring users to authenticate.
The following JAMF-specific profiles are available for macOS devices:
Profile | Platform | Identifier Type | JAMF Variable
surepath.ai.macos.jamf.email.mobileconfig | macOS | User email | $EMAIL
surepath.ai.macos.jamf.udid.mobileconfig | macOS | Device UDID | $UDID
When JAMF deploys these profiles, it automatically substitutes the payload variables with actual values:
Email identification ($EMAIL): JAMF replaces this variable with the user's email address from JAMF's user records. This enables SurePath AI to identify users immediately and apply user-specific and group-specific policies from the first request.
UDID identification ($UDID): JAMF replaces this variable with the device's unique identifier, which then identifies all traffic from that device. After a user signs in to a GenAI service for the first time, SurePath AI associates that identifier with the user, enabling ongoing identification of traffic from that identifier. This approach ensures users sign in before their activity is tracked.
Organizations should use one of these JAMF-specific profiles rather than the basic profile without variables. The choice between email and UDID depends on organizational requirements. Security-focused organizations may prefer UDID-based identification because it requires users to sign in before their traffic is associated with their identity. Email-based identification provides immediate user recognition and policy application, which can streamline the user experience when user email information is reliably available in JAMF.
For iOS and iPadOS devices, use the standard surepath.ai.ios.mobileconfig profile, which configures proxy settings without user-specific identifiers.
Creating the Configuration Profile for macOS devices in Jamf Pro
Log in to the Jamf Pro web interface
Browse to Computers on the left
Click on Configuration Profiles under Content Management
Click Upload in the upper-right area of the pane
In the Upload OS X Configuration Profile modal, click the Choose File button
Select the appropriate mobileconfig file for macOS: either surepath.ai.macos.mobileconfig for a basic deployment, or one of the JAMF-specific profiles with user identification (surepath.ai.macos.jamf.email.mobileconfig or surepath.ai.macos.jamf.udid.mobileconfig)
Click Open
On the New macOS Configuration Profile page, click on the Scope tab
Assign the Configuration Profile to the desired targets
Consult the Jamf Pro documentation for more details on scoping
Click Save
The configuration profile will now be deployed
Creating the Configuration Profile for iPadOS and iOS devices in Jamf Pro
Log in to the Jamf Pro web interface
Browse to Devices on the left
Click on Configuration Profiles under Content Management
Click Upload in the upper-right area of the pane
In the Upload iOS Configuration Profile modal, click the Choose File button
Select the surepath.ai.ios.mobileconfig file
Click Open
On the New iOS Configuration Profile page, click on the Scope tab
Assign the Configuration Profile to the desired targets
Consult the Jamf Pro documentation for more details on scoping
Click Save
The configuration profile will now be deployed
Verifying the SurePath AI integration
After completing the deployment, verify that the endpoint is properly integrated using the SurePath AI Ready tool.
